To enable TLS for Ambassador, you need a few things:

- You need a TLS certificate.
- For any production use, you need a DNS record that matches the `Common Name` of your TLS certificate.
- You need to store the certificate in a Kubernetes `secret`.
- You may need to configure other Ambassador TLS options with the tls module.

All of these requirements mean that it is easiest to decide whether to enable TLS before configuring Ambassador for the first time. You can switch after Ambassador has been set up, but it is annoying.

## 1. Obtain a TLS certificate

```
$ openssl genrsa -out private.key 2048
$ openssl req -new -key private.key -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:zhoutong
Organizational Unit Name (eg, section) []:keji
Common Name (eg, your name or your server's hostname) []:univer
Email Address []:wu_mingsheng@126.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
$ openssl x509 -req -days 365 -in cert.csr -signkey private.key -out cert.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=zhoutong/OU=keji/CN=univer/emailAddress=wu_mingsheng@126.com
Getting Private key
$ ll
total 12
-rw-r--r-- 1 root root 1298 Nov 26 02:05 cert.crt
-rw-r--r-- 1 root root 1082 Nov 26 02:03 cert.csr
-rw-r--r-- 1 root root 1675 Nov 26 02:00 private.key
```

Requesting the certificate requires Ambassador's Common Name (CN). In practice, when using HTTPS the CN is very important: if the CN does not match Ambassador's domain name, the TLS connection is refused. Therefore use the DNS name as the CN, and make sure everything matches in step 2.

## 2. You need a DNS name

```
kubectl apply -f https://www.getambassador.io/yaml/ambassador/ambassador-https.yaml
```

```
---
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    service: ambassador
  name: ambassador
spec:
  type: NodePort
  ports:
  - name: ambassador
    port: 443
    targetPort: https
    nodePort: 31584
  selector:
    service: ambassador
```

## 3. You need to store the certificate in a Kubernetes secret

Create a Kubernetes secret named ambassador-certs:

```
kubectl create secret tls ambassador-certs --cert=$FULLCHAIN_PATH --key=$PRIVKEY_PATH
```

where $FULLCHAIN_PATH is the path to a single PEM file containing the certificate chain (Ambassador's certificate plus all relevant intermediate certificates; this is what Let's Encrypt calls fullchain.pem), and $PRIVKEY_PATH is the path to the corresponding private key.

## 4. Install Ambassador

```
kubectl apply -f https://getambassador.io/yaml/ambassador/ambassador-rbac.yaml
```

## 5. Use Ambassador TLS

```
---
apiVersion: v1
kind: Service
metadata:
  name: say-hello
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v0
      kind: Mapping
      name: say-hello_mapping
      prefix: /say-hello/
      service: say-hello
spec:
  selector:
    app: say-hello
  ports:
  - port: 80
    name: http-qotm
    targetPort: http-api
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: say-hello
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: say-hello
    spec:
      containers:
      - name: say-hello
        image: woms/say-hello:0.0.1
        ports:
        - name: http-api
          containerPort: 8080
```

## 6. Verify

```
https://10.10.2.65:31584/say-hello/say/hello
```
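Steps 1 to 3 above hinge on two things that fail silently: a certificate whose name does not match the DNS name Ambassador is reached under, and a private key that does not belong to the certificate placed in the secret. The script below is an added example, not code from the original post or from the Ambassador project. It issues a self-signed certificate that carries the DNS name both as CN and as a subjectAltName (modern TLS clients check the SAN, not only the CN), then checks the name and the key/certificate pairing before the `kubectl create secret tls` step. The hostname `ambassador.example.internal`, the scratch directory and the helper function names are constructed for this example, and it assumes the `openssl` CLI is on PATH.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from Ambassador.
# Issues a self-signed certificate whose CN and subjectAltName both carry the
# DNS name Ambassador will be reached under, then runs the two checks that
# should pass before `kubectl create secret tls ambassador-certs ...`:
#   1. the certificate's CN or one of its DNS SANs equals the expected name
#   2. the private key really belongs to the certificate
# Assumes the openssl CLI is on PATH; hostnames and paths are constructed.
set -eu

# Issue a self-signed certificate for the DNS name $1 (valid $2 days, default
# 365) into a fresh scratch directory and print that directory's path.
issue_self_signed() {
  local host="$1" days="${2:-365}" dir
  dir="$(mktemp -d)"
  # A request config is used instead of -addext so this also works on OpenSSL
  # releases older than 1.1.1. The subject fields mirror the post's CSR.
  cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
C = cn
ST = beijing
L = beijing
O = example
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -config "$dir/req.cnf" \
    -keyout "$dir/private.key" -out "$dir/cert.crt" 2>/dev/null
  echo "$dir"
}

# Print the certificate's subject CN.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print each DNS name in the certificate's subjectAltName, one per line
# (prints nothing when the certificate has no SAN extension at all).
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Succeed when the CN or one DNS SAN equals $2 exactly.
cert_matches_host() {
  local crt="$1" host="$2"
  [ "$(cert_cn "$crt")" = "$host" ] && return 0
  cert_sans "$crt" | grep -qxF "$host"
}

# Succeed when the public key derived from $2 equals the one certified in $1.
key_matches_cert() {
  local crt="$1" key="$2"
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Run both checks; print a diagnosis and fail on the first problem found.
preflight() {
  local crt="$1" key="$2" host="$3"
  cert_matches_host "$crt" "$host" \
    || { echo "FAIL: $crt does not cover the DNS name $host" >&2; return 1; }
  key_matches_cert "$crt" "$key" \
    || { echo "FAIL: $key is not the private key for $crt" >&2; return 1; }
  echo "OK: $crt covers $host and matches $key"
}

# Demo on a constructed hostname; the last line echoes the post's own command.
DIR="$(issue_self_signed ambassador.example.internal)"
preflight "$DIR/cert.crt" "$DIR/private.key" ambassador.example.internal
echo "kubectl create secret tls ambassador-certs --cert=$DIR/cert.crt --key=$DIR/private.key"
```

One caveat for step 6: the verification URL there uses the node's IP address, and a certificate issued for a DNS name will not pass hostname verification against an IP. To test against the NodePort without disabling verification, point the name at the IP with curl's `--resolve name:31584:10.10.2.65` and trust the certificate with `--cacert cert.crt`.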